oss-security mailing list
Recent messages:
- 2026/04/29 #1: CVE-2026-40560: Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence (Timothy Legge <timlegge@...nsec.org>)
- 2026/04/28 #23: Re: [SECURITY] Out-of-Bounds Read in MPLS Extension Parsing — traceroute 2.1.2 (Alan Coopersmith <alan.coopersmith@...cle.com>)
- 2026/04/28 #22: Re: [SECURITY] Out-of-Bounds Read in MPLS Extension Parsing — traceroute 2.1.2 (Dmitry Butskoy <buc@....spb.ru>)
- 2026/04/28 #21: Re: [SECURITY] Out-of-Bounds Read in MPLS Extension Parsing — traceroute 2.1.2 (Dmitry Butskoy <buc@....spb.ru>)
- 2026/04/28 #20: [SECURITY] Out-of-Bounds Read in MPLS Extension Parsing — traceroute 2.1.2 (MOHAMED AZIZ RAHMOUNI <mohamedaziz.rahmouni@...at.ucar.tn>)
- 2026/04/28 #19: Re: Coordinated Disclosure in the LLM Age (Greg Dahlman <dahlman@...il.com>)
- 2026/04/28 #18: Xen Security Advisory 489 v1 (CVE-2026-23559,CVE-2026-23560,CVE-2026-23561,CVE-2026-23562,CVE-2026-42486) - Multiple RB… (Xen.org security team <security@....org…)
- 2026/04/28 #17: CVE-2026-41873: Pony Mail: Admin account takeover via request smuggling (Arnout Engelen <engelen@...che.org>)
- 2026/04/28 #16: The GNU C Library security advisories update for 2026-04-28 (Carlos O'Donell <carlos@...hat.com>)
- 2026/04/28 #15: Coordinated Disclosure in the LLM Age (Jeremy Stanley <fungi@...goth.org>)
- 2026/04/28 #14: Xen Security Advisory 487 v2 (CVE-2026-31787) - Linux kernel double free in Xen privcmd driver (Xen.org security team <security@....org>)
- 2026/04/28 #13: Xen Security Advisory 486 v2 (CVE-2026-23558) - grant table v2 race in status page mapping (Xen.org security team <security@....org>)
- 2026/04/28 #12: Xen Security Advisory 485 v2 (CVE-2026-31786) - Linux kernel out of bounds read via Xen-related sysfs file (Xen.org security team <security@....org>)
- 2026/04/28 #11: Xen Security Advisory 484 v2 (CVE-2026-23557) - Xenstored DoS via XS_RESET_WATCHES command (Xen.org security team <security@....org>)
- 2026/04/28 #10: Xen Security Advisory 483 v2 (CVE-2026-23556) - oxenstored keeps quota related use counts across domain destruction (Xen.org security team <security@....org>)
- 2026/04/28 #9: [CVE-2026-3087] shutil.unpack_archive() doesn't check for Windows absolute paths in ZIPs (Alan Coopersmith <alan.coopersmith@...cle.com>)
- 2026/04/28 #8: CVE-2025-48431: Apache Thrift glibc language bindings: Specially crafted input can crash a c_glib Thrift server with invalid poin… (Jens Geyer <jensg@...che.org>)
- 2026/04/28 #7: CVE-2026-41603: Apache Thrift: Java TSSLTransportFactory hostname verification (Jens Geyer <jensg@...che.org>)
- 2026/04/28 #6: CVE-2026-41602: Apache Thrift: Go TFramedTransport uint32 overflow (Jens Geyer <jensg@...che.org>)
- 2026/04/28 #5: CVE-2026-41604: Apache Thrift: Swift Range crash in skip() (Jens Geyer <jensg@...che.org>)
- 2026/04/28 #4: CVE-2026-41605: Apache Thrift: Swift Compact Protocol integer overflow (Jens Geyer <jensg@...che.org>)
- 2026/04/28 #3: CVE-2026-41606: Apache Thrift: c_glib dispatch stack overflow (Jens Geyer <jensg@...che.org>)
- 2026/04/28 #2: CVE-2026-41607: Apache Thrift: C++ JSON OOB read (Jens Geyer <jensg@...che.org>)
- 2026/04/28 #1: CVE-2026-41636: Apache Thrift: Node.js skip() recursion (Jens Geyer <jensg@...che.org>)
- 2026/04/27 #8: CVE-2026-40355, CVE-2026-40356: MIT krb5 1.18+ Unauthenticated Network read overrun and null pointer dereference (Cem Onat Karagun <cemkaragun@...il.com>)
- 2026/04/27 #7: [CVE-2026-6357] pip self-update functionality can import newly installed modules after wheel installation (Alan Coopersmith <alan.coopersmith@...cle.com>)
- 2026/04/27 #6: [OSSA-2026-008] Ironic: Command Injection in IPMI Console Implementations (CVE pending) (Jay Faulkner <jay@....cc>)
- 2026/04/27 #5: CVE-2026-7040: Text::Minify::XS versions from v0.3.0 before v0.7.8 for Perl have heap overflow when processing some malfor… (Robert Rothenberg <rrwo@...nsec.org>)
- 2026/04/27 #4: ZDRES-059: CVE-2026-41635: Apache MINA: AbstractIoBuffer.resolveClass() null-clazz Branch Skips acceptMatchers Filter … (Emmanuel Lécharny <elecharny@...che.or…)
- 2026/04/27 #3: CVE-2026-41409: Apache MINA: CWE-502 Deserialization of Untrusted Data (Emmanuel Lécharny <elecharny@...che.org>)
- 2026/04/27 #2: uriparser 1.0.1 fixes CVE-2026-42371 (integer overflow) (Sebastian Pipping <sebastian@...ping.org>)
- 2026/04/27 #1: plasma-login-manager: Weaknesses in plasmaloginauthhelper (CVE-2026-25710) (Matthias Gerstner <mgerstner@...e.de>)
- 2026/04/26 #10: CVE-2026-40860: Apache Camel: Unsafe Deserialization of JMS ObjectMessage in camel-jms, camel-sjms, camel-sjms2 and cam… (Andrea Cosentino <acosentino@...che.org…)
- 2026/04/26 #9: CVE-2026-40858: Apache Camel: Camel-Infinispan: Unsafe Deserialization in Remote Aggregation Repository (Andrea Cosentino <acosentino@...che.org>)
- 2026/04/26 #8: CVE-2026-40473: Apache Camel: Camel-Mina: Unsafe Deserialization in MinaConverter.toObjectInput() via TCP/UDP (Andrea Cosentino <acosentino@...che.org>)
- 2026/04/26 #7: CVE-2026-40453: Apache Camel: Incomplete fix for CVE-2025-27636 in non-HTTP HeaderFilterStrategies (camel-jms, camel-sj… (Andrea Cosentino <acosentino@...che.org…)
- 2026/04/26 #6: CVE-2026-40048: Apache Camel: Camel-PQC: Unsafe Deserialization from FileBasedKeyLifecycleManager (Andrea Cosentino <acosentino@...che.org>)
- 2026/04/26 #5: CVE-2026-40022: Apache Camel: Camel-Platform-HTTP-Main: Authentication Bypass on Non-Root Context Paths in camel main r… (Andrea Cosentino <acosentino@...che.org…)
- 2026/04/26 #4: CVE-2026-33454: Apache Camel: Inbound Header Filter Missing in MailHeaderFilterStrategy Allows Remote Code Execution vi… (Andrea Cosentino <acosentino@...che.org…)
- 2026/04/26 #3: CVE-2026-33453: Apache Camel: CoAP URI Query Parameter to Exchange Header Injection in camel-coap Allows Single-Packet … (Andrea Cosentino <acosentino@...che.org…)
- 2026/04/26 #2: CVE-2026-27172: Apache Camel: Unsafe Java deserialization in camel-consul ConsulRegistry allows arbitrary code executio… (Andrea Cosentino <acosentino@...che.org…)
- 2026/04/26 #1: libexpat 2.8.0 fixes CVE-2026-41080 (insufficient entropy) (Sebastian Pipping <sebastian@...ping.org>)
- 2026/04/25 #3: CVE-2026-41081: Apache Storm Client: Anonymous principal assigned on TLS client certificate verification failure (Richard Zowalla <rzo1@...che.org>)
- 2026/04/25 #2: CVE-2026-40557: Apache Storm Prometheus Reporter: Disabling TLS verification for Prometheus Reporter also disables it for all… (Richard Zowalla <rzo1@...che.org>)
- 2026/04/25 #1: bubblewrap CVE-2026-41163: Privilege escalation if setuid root, via ptrace (Simon McVittie <smcv@...ian.org>)
- 2026/04/24 #5: rust-openssl-v0.10.78 fixes 5 CVEs (Alan Coopersmith <alan.coopersmith@...cle.com>)
- 2026/04/24 #4: CVE-2026-40690: Apache Airflow: Assets graph view bypasses DAG level access control displaying unrelated topologies and all D… (Rahul Vats <rahulvats@...che.org>)
- 2026/04/24 #3: CVE-2026-38743: Apache Airflow: Dags endpoint might provide access to otherwise inaccessible entities (Rahul Vats <rahulvats@...che.org>)
- 2026/04/24 #2: CVE-2025-62233: Apache DolphinScheduler: Deserialization of untrusted data in RPC (Wenjun Ruan <wenjun@...che.org>)
- 2026/04/24 #1: CVE-2026-23902: Apache DolphinScheduler: Users are able to use tenants that are not defined on the platform during workflow exe… (Wenjun Ruan <wenjun@...che.org>)
- 2026/04/23 #6: CVE-2026-41044: Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All: Authenticated user can perform RCE via De… ("Christopher L. Shannon" <cshannon@...c…)
- 2026/04/23 #5: CVE-2026-41043: Apache ActiveMQ, Apache ActiveMQ Web: ActiveMQ Web Console - XSS vulnerability when browsing queues ("Christopher L. Shannon" <cshannon@...ch…)
- 2026/04/23 #4: CVE-2026-40466: Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Possible bypass of CVE-2026-34197 via HTT… ("Christopher L. Shannon" <cshannon@...c…)
- 2026/04/23 #3: PowerDNS Authoritative Server 4.9.14 and 5.0.4 released (Miod Vallat <miod.vallat@...erdns.com>)
- 2026/04/23 #2: CVE-2026-41564: CryptX versions before 0.088 for Perl do not reseed the Crypt::PK PRNG state after forking (Stig Palmquist <stig@...g.io>)
- 2026/04/23 #1: PowerDNS Security Advisory 2026-03 for PowerDNS Recursor: Multiple issues (Otto Moerbeek <otto.moerbeek@...erdns.com>)
- 2026/04/22 #8: [vim-security] OS Command Injection in netrw affects Vim < 9.2.0383 (Christian Brabandt <cb@...bit.org>)
- 2026/04/22 #7: Re: CVE-2017-20230: Storable versions before 3.05 for Perl has a stack overflow (Steffen Nurpmeso <steffen@...oden.eu>)
- 2026/04/22 #6: CVE-2026-41651: TOCTOU vulnerability in PackageKit <= 1.3.4 leads to local root exploit (Matthias Klumpp <matthias@...stral.net>)
- 2026/04/22 #5: [SECURITY] CVE-2026-40542: Apache HttpClient 5.6 SCRAM-SHA-256 mutual authentication bypass (Arturo Bernal <abernal@...che.org>)
- 2026/04/22 #4: Re: Go 1.26.2 and Go 1.25.9 are released with 10 security fixes (Demi Marie Obenour <demiobenour@...il.com>)
- 2026/04/22 #3: Re: UAF in rsync 3.4.1 and below (Sam James <sam@...too.org>)
- 2026/04/22 #2: Re: CVE-2017-20230: Storable versions before 3.05 for Perl has a stack overflow (Sam James <sam@...too.org>)
- 2026/04/22 #1: Re: CVE-2017-20230: Storable versions before 3.05 for Perl has a stack overflow (Sam James <sam@...too.org>)
- 2026/04/21 #6: CVE-2025-15638: Net::Dropbear versions before 0.14 for Perl contains a vulnerable version of libtomcrypt (Robert Rothenberg <rrwo@...nsec.org>)
- 2026/04/21 #5: CVE-2017-20230: Storable versions before 3.05 for Perl has a stack overflow (Robert Rothenberg <rrwo@...nsec.org>)
- 2026/04/21 #4: CVE-2026-40706: ntfs-3g 2022.10.3: Heap buffer overflow (Rostislav <rostislav@...era.com>)
- 2026/04/21 #3: Fwd: X.Org Security Advisory: CVE-2026-4367: libXpm Out-of-bounds read in xpmNextWord() (Olivier Fourdan <ofourdan@...hat.com>)
- 2026/04/21 #2: Re: Go 1.26.2 and Go 1.25.9 are released with 10 security fixes (Michael Orlitzky <michael@...itzky.com>)
- 2026/04/21 #1: Libgcrypt security releases 1.12.2, 1.11.3, 1.10.x (Valtteri Vuorikoski <vuori@...com.org>)
- 2026/04/20 #9: The GNU C Library security advisories update for 2026-04-20 (Carlos O'Donell <carlos@...hat.com>)
- 2026/04/20 #8: Fwd: [CVE-2026-3219] pip doesn't reject concatenated ZIP and tar archives (Alan Coopersmith <alan.coopersmith@...cle.com>)
- 2026/04/20 #7: Re: Go 1.26.2 and Go 1.25.9 are released with 10 security fixes (Demi Marie Obenour <demiobenour@...il.com>)
- 2026/04/20 #6: Re: Go 1.26.2 and Go 1.25.9 are released with 10 security fixes (Morten Linderud <morten@...derud.pw>)
- 2026/04/20 #5: Re: [ADVISORY] CVE-2026-5367: Heap over-read in OVN DHCPv6 Client ID processing (Ales Musil <amusil@...hat.com>)
- 2026/04/20 #4: Re: [ADVISORY] CVE-2026-5265: Heap Over-Read in ICMP Error Response Generation (Ales Musil <amusil@...hat.com>)
- 2026/04/20 #3: [ADVISORY] CVE-2026-5367: Heap over-read in OVN DHCPv6 Client ID processing (Ales Musil <amusil@...hat.com>)
- 2026/04/20 #2: [ADVISORY] CVE-2026-5265: Heap Over-Read in ICMP Error Response Generation (Ales Musil <amusil@...hat.com>)
- 2026/04/20 #1: Re: Go 1.26.2 and Go 1.25.9 are released with 10 security fixes (Dimitri Ledkov <dimitri.ledkov@...inguard.dev>)
- 2026/04/19 #4: Re: Go 1.26.2 and Go 1.25.9 are released with 10 security fixes (Matthias Ferdinand <ml.oss-security@...dv.net>)
- 2026/04/19 #3: Re: CVE-2025-27363: FontForge affected by FreeType heap-buffer-overflow; upstream maintainer declines under Community-guidelines #D… (Sam James <sam@...too.org>)
- 2026/04/19 #2: Re: [CVE REQUEST] terminal-controller-mcp: trivially bypassable command blocklist enables unrestricted RCE (CVSS 10.0) (Alan Coopersmith <alan.coopersmith@...c…)
- 2026/04/19 #1: [CVE REQUEST] terminal-controller-mcp: trivially bypassable command blocklist enables unrestricted RCE (CVSS 10.0) (Pico 🧬 <pico@...al.dev>)
- 2026/04/18 #5: CVE-2026-41113: RCE in sagredo fork of qmail (Alan Coopersmith <alan.coopersmith@...cle.com>)
- 2026/04/18 #4: Re: [CVE-2026-33691] OWASP CRS whitespace padding bypass vulnerability (Solar Designer <solar@...nwall.com>)
- 2026/04/18 #3: Re: [CVE-2026-33691] OWASP CRS whitespace padding bypass vulnerability (cyber security <cs7778503@...il.com>)
- 2026/04/18 #2: Re: [CVE-2026-33691] OWASP CRS whitespace padding bypass vulnerability (cyber security <cs7778503@...il.com>)
- 2026/04/18 #1: Re: lcms2 <= 2.18 CubeSize() integer overflow: stock Ubuntu 24.04 Poppler / evince-thumbnailer / OpenJDK crashers (diff… (Abhinav Agarwal <abhinavagarwal1996@gma…)
- 2026/04/17 #17: Re: Go 1.26.2 and Go 1.25.9 are released with 10 security fixes (Sam James <sam@...too.org>)
- 2026/04/17 #16: lcms2 <= 2.18 CubeSize() integer overflow: stock Ubuntu 24.04 Poppler / evince-thumbnailer / OpenJDK crashers (differen… (Abhinav Agarwal <abhinavagarwal1996@gma…)
- 2026/04/17 #15: Re: Go 1.26.2 and Go 1.25.9 are released with 10 security fixes (Eli Schwartz <eschwartz@...too.org>)
- 2026/04/17 #14: CVE-2026-40948: Apache Airflow Keycloak Provider: OAuth Login CSRF — Missing State Parameter in Keycloak Auth Manager (Jarek Potiuk <potiuk@...che.org>)
- 2026/04/17 #13: Xen Security Advisory 488 v1 - x86: Floating Point Divider State Sampling (Xen.org security team <security@....org>)
- 2026/04/17 #12: ngtcp2: qlog_parameters_set_transport_params_stack_overflow [CVE-2026-40170] (Alan Coopersmith <alan.coopersmith@...cle.com>)
- 2026/04/17 #11: cups: 8 various moderate vulnerabilities (Zdenek Dohnal <zdohnal@...hat.com>)
- 2026/04/17 #10: Re: Go 1.26.2 and Go 1.25.9 are released with 10 security fixes (Matthias Ferdinand <ml.oss-security@...dv.net>)
- 2026/04/17 #9: CVE-2026-25917: Apache Airflow: API extra-links triggers XCom deserialization/class instantiation (Airflow 3.1.5) (Rahul Vats <rahulvats@...che.org>)
- 2026/04/17 #8: CVE-2026-32228: Apache Airflow: Users with asset materialization permissions could trigger Dags they had no access to (Rahul Vats <rahulvats@...che.org>)
- 2026/04/17 #7: CVE-2026-30898: Apache Airflow: Bad example of BashOperator shell injection via dag_run.conf (Rahul Vats <rahulvats@...che.org>)
- 2026/04/17 #6: CVE-2026-32690: Apache Airflow: 3.x - Nested Variable Secret Values Bypass Redaction via max_depth=1 (Rahul Vats <rahulvats@...che.org>)
32565 messages